Platform: wordpress
Component: charitable
Fixed in: 1.7.1
CVE-2023-4404 represents a critical privilege escalation vulnerability discovered in the Donation Forms by Charitable plugin for WordPress. This flaw allows unauthenticated attackers to manipulate user roles during registration, potentially gaining unauthorized access and control. The vulnerability affects versions up to and including 1.7.0.12. A patch has been released to address this issue.
The impact of CVE-2023-4404 is significant due to its ease of exploitation and the potential for widespread compromise. An unauthenticated attacker can leverage this vulnerability to assign themselves an administrator role or other privileged roles during the user registration process. This grants them full control over the WordPress site, enabling them to modify content, install malicious plugins, access sensitive data, and potentially compromise the entire system. The lack of authentication required for exploitation significantly broadens the attack surface, making many WordPress sites vulnerable. This vulnerability shares similarities with other privilege escalation flaws where improper role assignment can lead to unauthorized access.
CVE-2023-4404 was publicly disclosed on August 23, 2023. While no active exploitation campaigns have been definitively confirmed, the ease of exploitation and the criticality of the vulnerability suggest a high probability of exploitation. Public proof-of-concept code is likely to emerge, increasing the risk. The vulnerability is tracked by CISA and is considered a high-priority issue.
WordPress sites using the Donation Forms by Charitable plugin, particularly those running version 1.7.0.12 or earlier, are at significant risk. Shared hosting environments where multiple WordPress sites share the same server infrastructure are especially exposed, as a compromise of one site could lead to lateral movement and compromise of others. Sites with open or weakly controlled user registration are also at increased risk.
• wordpress / composer / npm:
wp plugin list | grep -i charitable
wp plugin update --all
grep -r 'update_core_user' /var/www/html/wp-content/plugins/charitable/
curl -I 'https://your-wordpress-site.com/wp-admin/admin-ajax.php?action=charitable_register_user&role=administrator' | head -n 1
Exploit status
EPSS
0.24% (47th percentile)
CVSS vector
The primary mitigation for CVE-2023-4404 is to immediately upgrade the Donation Forms by Charitable plugin to the latest available version, which contains the necessary fix. If upgrading is not immediately feasible due to compatibility concerns or breaking changes, consider temporarily disabling user registration on the WordPress site to prevent new accounts from being exploited. While not a complete solution, implementing strict user role validation and access controls within the WordPress configuration can help limit the potential damage if the vulnerability is exploited. Reviewing user roles and permissions regularly is also recommended.
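As an added example of the "strict user role validation" the paragraph recommends (this is not code from the Charitable plugin or from this advisory), the following must-use plugin reverts any change to a privileged role that was not made by a user holding the promote_users capability or from WP-CLI, and writes the blocked attempt to the PHP error log. The plugin name, the install path, the RRG_ prefix and the list of privileged roles are assumptions; the hooks (set_user_role), capabilities and WP_User methods are standard WordPress APIs.

```php
<?php
/**
 * Plugin Name: Registration Role Guard
 * Description: Defence-in-depth control against role injection during registration.
 *
 * Added example; not part of the Charitable plugin or this advisory.
 * Assumed install path: wp-content/mu-plugins/registration-role-guard.php
 * (must-use plugins load before ordinary plugins and cannot be deactivated in wp-admin).
 */

// Roles that a self-service registration or an unauthenticated request must never
// be able to grant. Assumption: the built-in privileged roles; extend for custom roles.
const RRG_PRIVILEGED_ROLES = array('administrator', 'editor', 'author', 'contributor');

/**
 * Pure decision helper: should this role change be reverted?
 * Kept free of WordPress calls so the policy can be tested on its own.
 */
function rrg_is_unauthorised_promotion(string $new_role, bool $actor_can_promote, bool $is_cli): bool {
    if (!in_array($new_role, RRG_PRIVILEGED_ROLES, true)) {
        return false; // registrations landing on the default (subscriber) role are fine
    }
    return !$actor_can_promote && !$is_cli;
}

/**
 * Runs on every role change (wp_insert_user, wp_update_user, WP_User::set_role).
 * During an unauthenticated registration the current user has no capabilities,
 * so a role smuggled in with the form data is reset to the site default.
 */
function rrg_guard_role_change(int $user_id, string $new_role, array $old_roles): void {
    $actor_can_promote = current_user_can('promote_users');
    $is_cli            = defined('WP_CLI') && WP_CLI;

    if (!rrg_is_unauthorised_promotion($new_role, $actor_can_promote, $is_cli)) {
        return;
    }

    $default_role = get_option('default_role', 'subscriber');
    $user         = new WP_User($user_id);

    // set_role() replaces all roles and fires set_user_role again; the re-entry
    // sees the non-privileged default role and returns early, so no recursion.
    $user->set_role($default_role);

    error_log(sprintf(
        '[registration-role-guard] blocked promotion of user %d (%s) from [%s] to %s; '
        . 'actor user id %d, remote %s, uri %s; reset to %s',
        $user_id,
        $user->user_login,
        implode(',', $old_roles),
        $new_role,
        get_current_user_id(),               // 0 for unauthenticated requests
        $_SERVER['REMOTE_ADDR'] ?? 'n/a',
        $_SERVER['REQUEST_URI'] ?? 'n/a',
        $default_role
    ));
}
add_action('set_user_role', 'rrg_guard_role_change', 10, 3);
```

Install this only after the initial site setup (the installer itself assigns the first administrator without a logged-in actor), and note that any custom code or cron job that legitimately promotes users must run under an account with promote_users or via WP-CLI, otherwise the guard reverts it. The log line gives the reviewer the user id, remote address and request URI of each blocked attempt, which is the evidence the "review user roles regularly" advice needs.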
Update the Donation Forms by Charitable plugin to the latest available version. This fixes the privilege escalation vulnerability by allowing only authorized users to modify other users' roles.
CVE-2023-4404 is a critical vulnerability in the Donation Forms by Charitable WordPress plugin allowing unauthenticated attackers to escalate privileges during user registration, potentially gaining admin access.
If you are using Donation Forms by Charitable plugin versions 1.7.0.12 or earlier, you are vulnerable to this privilege escalation flaw.
Upgrade the Donation Forms by Charitable plugin to the latest version available. If upgrading is not possible immediately, disable user registration as a temporary workaround.
While no confirmed active exploitation campaigns are publicly known, the vulnerability's criticality and ease of exploitation suggest a high probability of exploitation.
Refer to the official Donation Forms by Charitable plugin website or the WordPress plugin repository for the latest security advisory and update information.